假设一个网站在多台服务器之间进行负载平衡。我想运行一个命令来测试它是否正常工作,例如curl DOMAIN.TLD
。因此,为了隔离每个 IP 地址,我会手动指定 IP。但许多网站可能托管在服务器上,因此我仍然会提供一个主机标头,如下所示:curl IP_ADDRESS -H 'Host: DOMAIN.TLD'
。据我了解,这两个命令会创建完全相同的 HTTP 请求。唯一的区别是,在后者中,我从 cURL 中取出 DNS 查找部分并手动执行此操作(如果我错了,请纠正我)。
到目前为止一切顺利。但现在我想对 HTTPS URL 执行相同操作。同样,我可以像这样测试它curl https://DOMAIN.TLD
。但我想手动指定 IP,所以我运行curl https://IP_ADDRESS -H 'Host: DOMAIN.TLD'
。现在我收到 cURL 错误:
curl: (51) SSL: certificate subject name 'DOMAIN.TLD' does not match target host name 'IP_ADDRESS'.
我当然可以通过告诉 cURL 不要关心证书(“-k”选项)来解决这个问题,但这并不理想。
有没有办法将连接的 IP 地址与经过 SSL 认证的主机隔离?
答案1
我认为通过 cURL 手册找到了解决方案:
curl https://DOMAIN.EXAMPLE --resolve 'DOMAIN.EXAMPLE:443:192.0.2.17'
在 [curl] 7.21.3 中添加。在 7.42.0 中添加了删除支持。
答案2
这是man
当前获得最多赞同的答案的条目,因为它们仅包含了指向程序化组件的链接:
--resolve <host:port:address>
Provide a custom address for a specific host and port pair. Using
this, you can make the curl requests(s) use a specified address and
prevent the otherwise normally resolved address to be used. Consider
it a sort of /etc/hosts alternative provided on the command line.
The port number should be the number used for the specific protocol
the host will be used for. It means you need several entries if you
want to provide address for the same host but different ports.
The provided address set by this option will be used even if -4,
--ipv4 or -6, --ipv6 is set to make curl use another IP version.
This option can be used many times to add many host names to resolve.
Added in 7.21.3.
但是由于给出的限制(“这意味着如果您想为同一主机但不同的端口提供地址,则需要多个条目。”),我会考虑另一个可以同时翻译两者的较新的选项:
--connect-to <HOST1:PORT1:HOST2:PORT2>
For a request to the given HOST:PORT pair, connect to
CONNECT-TO-HOST:CONNECT-TO-PORT instead. This option is suitable
to direct requests at a specific server, e.g. at a specific cluster
node in a cluster of servers. This option is only used to establish
the network connection. It does NOT affect the hostname/port that
is used for TLS/SSL (e.g. SNI, certificate verification) or for
the application protocols. "host" and "port" may be the empty string,
meaning "any host/port". "connect-to-host" and "connect-to-port"
may also be the empty string, meaning "use the request's original host/port".
This option can be used many times to add many connect rules.
See also --resolve and -H, --header.
Added in 7.49.0.
使用示例--connect-to
:
curl https://domain.example --connect-to domain.example:443:203.0.113.81:443
答案3
您可以在 /etc/hosts 中进行更改,让服务器认为该域位于某个 IP。
语法如下:
192.168.10.20 www.domain.tld
这将使得 cURL 使用您想要的 IP 地址,而无需破坏 SSL 证书。
答案4
如果你在 Windows 中运行 curl,请使用双引号
curl https://DOMAIN.TLD --resolve "DOMAIN.TLD:443:IP_ADDRESS"
curl DOMAIN.TLD --resolve "DOMAIN.TLD:80:IP_ADDRESS"
您可以跳过前面的方案/协议,但不能跳过--resolve 字符串中的端口号。